Here’s another case in which people whose data were revealed found out first from the media instead of from the entity responsible for protecting their data. WHAS11 reports:
For the second time in less than a week hundreds of people in Kentuckiana are worrying about identity theft after their employer accidentally released their social security numbers.
A few days ago it happened in Bullitt County schools and now it’s Baptist Hospital East.
350 names of hospital employees appear on this list that was circulated in an e-mail and so do their social security numbers.
When WHAS11 called people on the list, every one of them was stunned it was out there.
Baptist won’t say how many people received this list at the hospital but they say it was supposed to be a reminder to managers about which nurses needed to renew their medical licenses.
In a statement, Baptist East says:
“First and foremost, we want to apologize to the 350 employees affected by this error. As soon as we learned that confidential employee information was unknowingly sent to nursing leadership, we acted immediately to prevent the information from being shared. We can assure our employees that this was a single, isolated occurrence.”
The station’s video coverage of the incident gets more into the nurses’ reactions to the breach and their anger that they weren’t notified by the hospital but found out from the news station.
Note that under HHS’s new rules for breach notification as I understand them, the hospital would not have to notify those affected if they determined that there was no significant risk of harm, which they might conclude since the email was sent to department managers and not outside the hospital.